Buuctf crackme personal gains and Solutions
Summer man 2021-06-04 09:55:39

This question took me nearly two days , In the meantime, because of watching wp I can't understand it at all. I'm crazy to ask for advice , Finally, I debugged it myself . It's not easy , And I really learned a lot , Record here .

After downloading the program of the title , Check the shell , I found that Maud

Open the program first , The program asks us to enter a user name and password , understand .

throw sth. into ida

Enter the main function wmain



  Change the name of the function to a word that you can understand



  From here while And the innermost one break You know , To jump out of the loop , These two if All have to be satisfied


First, let's analyze the first if, Click in sub_401830 And start analyzing



  Because of this if To establish , So this return The following expression must be true , And v14==43924 establish , We're going back here ( Literally )




There's a lot going on here if Judge , According to experience, we can put if The following numbers press r Convert to character , Here we guess if When all are satisfied, the result is just equal to 43924( I can't figure out if I don't guess , All analysis .. It's scary to think about )

You can write a python The script validates our guess



  Why , The answer is not 43924, Why is that ( Stick reading )

Turned out to be




  There are two options for this place , I chose the one above .

After changing to the one below



perfect . The resulting v17 by "dbappsec" 

ok, Continue to push back



  The first time I did this, I analyzed them for a long time , I don't know what this is , After checking on the Internet, it is found that it is an anti debugging function , I don't care .

Because we've got v17, At the same time, the user name also knows that it is welcomebeijing, At the beginning, it was said that the user name should be entered when the program was started . So we can use ollydbg The method of dynamic debugging comes to byte_416050 Value

Drag in ollydbg, After calculating the dynamic migration , Execution procedure



  enter one user name welcomebeijing



  Now we stop , find ida Of



  The address of



  The upper one xor eax,ecx That's the key step , Symbolize



  XOR here , And from the assembly code above, we can see the movzx   ecx, [ebp+var_209] Yes, it will byte_416050 The value of the ecx, Here ecx The value of is what we want to know !

thus , We got ideas , stay xor Bottom breakpoint , Stop the program at each run time xor The previous order of , It's easy for us to know ecx Value .



  And then back to the program , Just type in a password ( It's going to end up there anyway






  Did you see? ,ecx Value .

because while(v6<8), So it's implemented 8 Time , Here we continue f9 perform , And record every time ecx Value . obtain ecx, namely byte_416050 The stored value of 0x2a,0xd7,0x92,0xe9,0x53,0xe2,0xc4,0xcd

And then continue to push back



 ( My expression may be a little strange , Let's make a little understanding

The next one if It doesn't matter , You can write code directly









Throw this string of characters on the Internet md5 Decrypt online , obtain flag{d2be2981b84f2a905669995873d6a36c}

I feel like I don't know anything when I do it , But after finishing, I found that I basically understood this problem , Still very happy

Sentiment :



Love is so cute

( Unconscious praise


Please bring the original link to reprint ,thank
Similar articles